Journal of Network and Computer Applications 35 (2012) 491–501

Contents lists available at SciVerse ScienceDirect

Journal of Network and Computer Applications

journal homepage: www.elsevier.com/locate/jnca

A framework for avoiding steganography usage over HTTP

Jorge Blasco a,*, Julio Cesar Hernandez-Castro b, José María de Fuentes a, Benjamín Ramos a

a Computer Science Department, Carlos III University of Madrid, Av. de la Universidad 30, 28911 Leganés, Spain
b School of Computing, University of Portsmouth, Buckingham Building, Lion Terrace, Portsmouth PO1 3HE, UK

Article info

Article history:
Received 24 May 2011
Received in revised form 16 September 2011
Accepted 2 October 2011
Available online 13 October 2011

Keywords:
Steganography
Covert channels
HTTP
Active warden
Sanitization

1084-8045/$ - see front matter © 2011 Elsevier Ltd. All rights reserved.
doi:10.1016/j.jnca.2011.10.003
* Corresponding author. Tel.: +34 916 248 847.
E-mail addresses: [email protected] (J. Blasco), [email protected] (J.C. Hernandez-Castro), [email protected] (J.M. de Fuentes), [email protected] (B. Ramos).

Abstract

Steganographic techniques allow users to covertly transmit information, hiding the existence of the communication itself. These can be used in several scenarios ranging from evading censorship to discreetly extracting sensitive information from an organization. In this paper, we consider the problem of using steganography through a widely used network protocol (i.e. HTTP). We analyze the steganographic possibilities of HTTP, and propose an active warden model to hinder the usage of covert communication channels. Our framework is meant to be useful in many scenarios. It could be employed to ensure that malicious insiders are not able to use steganography to leak information outside an organization. Furthermore, our model could be used by web server administrators to ensure that their services are not being abused, for example, as anonymous steganographic mailboxes. Our experiments show that steganographic contents can be successfully eliminated, but that dealing with high payload carriers such as large images may introduce notable delays in the communication process.

© 2011 Elsevier Ltd. All rights reserved.

1. Introduction

Steganography is the science that studies the techniques to hide the existence of messages (Johnson and Jajodia, 1998). The ability to send secret messages can be useful for several purposes. On one hand, in a country under a totalitarian government, steganography could be used to circumvent censorship (Feamster et al., 2002), and in a more general setting it could be instrumental for whistleblowers. On the other hand, steganography can also be used to commit malicious or criminal activities. In fact, it could be used by an employee stealing sensitive information from an organization in a case of industrial espionage. Before transferring this valuable information, the employee may hide it in innocuous-looking documents. In this way, no security check or network monitoring tool would detect sensitive information leaving the organization. Steganography can also help exchange illegal content (such as child pornography) using public resources like web servers or P2P networks as repositories, without the knowledge of the owners of those resources.

Recently, the usage of steganography reached public media coverage when a group of spies from Russia were uncovered (McGreal, 2010). As the FBI report describes (Kachhia-Patel, 2010), the spies, who had infiltrated some United States Government agencies, used a steganographic program to conceal their intelligence reports in digital images. Those were later uploaded to public web servers, so that Russian intelligence in Moscow could download them and extract the secret messages (intelligence reports) using a pre-shared key. Another malicious usage of steganography that has risen recently is to command and control botnets (Kartaltepe et al., 2010). By employing steganography, botnet owners can benefit from social network sites and transform them into infrastructures to covertly deliver their commands. In this way, botnet administrators have a centralized, fast, reliable and easy method to distribute their commands to multiple bots.

Avoiding such malicious steganography usage is an important issue for organizations which hold large amounts of sensitive information, and for system administrators who do not want their services to be used for unauthorized purposes. Although steganography can be used to create a covert channel through any kind of network protocol, we have focused on the restriction of HTTP for several reasons:

- The restriction of HTTP traffic through firewalls is infeasible as it is essential for Internet communications. HTTP provides access to multiple kinds of services such as news, search engines, web mail, social networks, multimedia, etc., but also provides enterprise services such as Business to Business services, reference, documentation, etc., which are essential for organizations and cannot be simply blocked.

- HTTP allows users to access plenty of information and consumption services (YouTube, Flickr, etc.). These kinds of services can be easily used by steganography users as cover repositories and anonymous mailboxes to upload, store and download hidden information (Burnett et al., 2010). In this regard, URL filtering software could be used to restrict the number of sites a potential steganography user is able to connect to. Due to the great number of these, it is however unlikely that the security administrator will be able to block them all.

- The usage of HTTP provides a higher anonymity level, in comparison with other common organization-wide network protocols such as SMTP. Although HTTP communications are not anonymous, only the web server administrator or network nodes between the user and the web server may possess enough information to identify who accessed the server resources. This allows identifying the possible recipients of the hidden messages, but not the actual recipient. Other protocols such as SMTP explicitly specify the recipient of the information when communicating to an intermediary server, so they are easier to trace.

- Finally, the usage of third party web servers as part of the steganographic communication usually involves a violation of these servers' terms of use. This kind of abuse may induce unnecessary overloads that should be actively avoided by system administrators.

The contribution of this paper is a framework, named StegoProxy, which limits the transmission of hidden information through the Hyper Text Transfer Protocol (HTTP). The proposed model hinders the usage of steganography on HTTP message body entities such as images, text, etc. Additionally, it avoids the usage of the HTTP protocol structure itself for steganographic purposes (i.e. modifying HTTP headers to hide information as proposed by Dyatlov and Castro, 2003). This is achieved by actively modifying HTTP messages. In order to evaluate the proposed model, an implementation has been developed.

Our proposal enables the normal usage of HTTP connections, while hindering the existence of covert channels through them. This would allow organizations to avoid information theft through HTTP. Additionally, our scheme may allow service providers to ensure clients perform an authorized usage of their services (i.e. they are not used to covertly store unauthorized material). Although our proposal is focused on HTTP, it may be easily adapted to other protocols such as SMTP, FTP, etc.

The rest of the paper is structured as follows. We describe the basics of steganography in Section 2. The related work is summarized in Section 3. In Section 4, we describe the steganographic capabilities of HTTP. The proposed framework is explained in Section 5. Section 6 depicts the performed evaluation and summarizes the obtained results. Finally, Section 7 gathers the conclusions and future work lines.

2. Steganography

The first model of steganography was described by Simmons (1998) as the prisoners' problem. Simmons described two prisoners (Alice and Bob) who want to plot an escape plan. As they are not in the same cell, they must communicate through a warden (Wendy), who will analyze any communication between them. If Wendy ever suspects that Alice and Bob are planning to escape, she will put them into isolation cells and the escape will be frustrated. In this scenario, Alice and Bob will not be able to just use cryptography, as encrypted messages will raise Wendy's suspicions. In order to achieve their goal, Alice and Bob should hide their secret messages in innocuous-looking ones (called covers), so Wendy will only see unremarkable messages exchanged between prisoners.

However, if Wendy is aware of the existence of some kind of steganography, she may be able to detect the presence of hidden messages or even destroy the covert channel between Alice and Bob. On one hand, if Wendy just analyzes the messages and forwards them to their recipients, then Wendy is a passive warden. In this case Wendy verifies whether the cover contains hidden contents or not. On the other hand, if Wendy strongly suspects that Alice and Bob are planning an escape through their messages, but she is not able to obtain proof, she may slightly modify the exchanged messages trying to perturb any hidden information. In this case, Wendy is an active warden. Even further, Wendy may be able to insert some information impersonating Alice or Bob, thus performing a man-in-the-middle attack. In this case Wendy is a malicious warden. Although steganographic algorithms should be robust to active warden attacks, steganographic researchers have mainly focused on the imperceptibility of hidden information, while resistance against active attacks has been mostly addressed in other information hiding areas like watermarking (Cox et al., 2008).

Thanks to the widespread adoption of digital devices and electronic documents, steganography has attracted the interest of researchers in recent years. Fisk et al. (2003) defined the concepts of structured and unstructured carriers. A carrier specifies the features or characteristics used to hide the information in the cover. In this regard, a structured carrier is defined as a carrier whose structure is well defined (XML files, PDF files, network protocols, etc.), while unstructured carriers do not have a defined structure (images, video, natural language, etc.). HTTP is an especially interesting and relevant case because it encompasses both carrier types, as information can be hidden in the structure of the HTTP message (see Section 4) or in the content uploaded or downloaded by the user (images, videos, etc.).

2.1. Steganography in unstructured carriers

The increasing concerns about copyright violations of multimedia works motivated the first research efforts on information hiding techniques for unstructured carriers. Least Significant Bit (LSB) techniques are the best known, based on hiding information in the least significant bits of covers (Van Schyndel et al., 1994). Depending on the data representation, the least significant bits can be the last bits of the RGB composition, the least significant bits of the DCT transform coefficients, etc. The amount of information embedded in the image generally determines the amount of distortion introduced in the cover image. Due to the size of image files, image steganography provides high capacity. A comprehensive description of several image steganography techniques can be found in Chandramouli et al. (2004).

Audio steganography techniques allow hiding information in compressed (MP3, etc.) or uncompressed (WAV, etc.) audio files. In this regard, the concept of LSB steganography can also be used in the audio domain. Changing the least significant bit of each audio sample allows encoding information without generally creating an audible difference in the audio file. Depending on its configuration, an audio file may hold up to 44 100 audio samples for every second, making uncompressed audio a very high capacity carrier (Bender et al., 1996). Audio steganography can also be performed on compressed audio files like MP3s (Petitcolas, 1998).

Besides image and audio, another widely used way to represent information is text. The most relevant proposals for text steganography have been based on the concept of mimic functions (Wayner, 1992). Using mimic functions, NICETEXT (Chapman and Davida, 1997) is able to transform a secret message M into a seemingly innocuous text T which contains sentences in natural language. Grothoff et al. (2005) propose to embed information in the noise and errors produced by automatic translation systems. In this way, new errors and noise detected in the steganographic text would be attributed to the automatic translation system. Particular language and expressions used in some contexts can also be used to introduce hidden information. Shirali-Shahreza (2006) proposes to take advantage of the language used in short text messages to hide secret messages.

Timing and order of packets in network protocols are also unstructured carriers that can be used to hide information. In this regard, Ahsan and Kundur (2002) propose to hide information in the order of TCP and IP packets. As TCP provides a reassembly mechanism, they studied how to embed information in such a way that packets are rearranged depending on the secret to transmit. A generalization of the steganographic possibilities of ordered channels was presented in Chakinala et al. (2007).

2.2. Steganography in structured carriers

Although network protocols can be used as unstructured carriers (i.e. timing channels), the network protocol structure also allows creating covert communication channels. Fisk et al. (2003) identified some methods to embed hidden information in TCP, UDP, ICMP or IP header fields. Fields such as options or padding could be used to insert additional hidden information. A complete survey of structured network covert channels can be found in Zander et al. (2007).

Document formats such as Microsoft Word (Park et al., 2009) and PDF files (Zhong et al., 2007; Lee and Tsai, 2010) can be used to hide information. In the former article, the authors propose to hide information using redundancy in the Microsoft Office 2007 document format (OOXML), which is based on XML. Specifically, the authors use unknown relationships and parts, which are elements of OOXML that are not shown by any Office program, but are saved and cannot be modified within the Office suite. In the latter proposal, information is embedded in imperceptible changes to character, word and line spacing.

[1] http://www.guidancesoftware.com/
[2] http://www.porcupine.org/forensics/tct.html

3. Related work – fighting against the usage of steganography

Even though steganography is not a threat by itself, its malicious usage entails a threat that must be addressed. Detection and/or elimination of steganography are the most common methods to fight its usage. Detection techniques try to tell whether steganography has been used or not. Elimination techniques try to actively destroy or alter the hidden information, as the active warden does in Simmons' scenario.

3.1. Steganography detection

Steganalysis studies the security of steganographic algorithms. A steganographic algorithm is considered secure if it is not possible to statistically distinguish between a cover with hidden information and a clean one (Cox et al., 2008). Once the mere existence of hidden information has been detected, the purpose of steganography has been defeated, so the algorithm is considered broken. There exist several types of steganalysis. Targeted steganalysis uses knowledge about the steganographic technique to detect stego-objects created with that specific technique, while blind steganalysis aims to distinguish whether a file has some hidden information with no information about the steganographic technique used. Usually, steganalysis techniques are based on statistical models of clean files, used to design classifiers that are able to detect files with hidden information because they differ from this underlying model.

Blind and targeted steganalysis techniques have been extensively studied on digital images (Fridrich and Goljan, 2002). In audio, Geetha et al. (2006) identify audio quality metrics as a statistically distinguishable feature between stego-objects and cover audio files. Using a genetic algorithm, they are able to build a distinguisher that told apart up to 80% of stego-audio files. Targeted approaches such as Hernandez-Castro et al. (2010) have also been proposed, enabling in this case the detection of hidden information embedded through MP3Stego (Petitcolas, 1998).

Steganalysis techniques also target faulty implementations of steganographic algorithms. Bell and Lee (2010) found that most steganographic algorithm implementations modify the headers of the cover used when embedding information. This happens because the steganographic algorithm has not been correctly implemented, removing most of the metadata of the original cover. The authors prove that most steganographic applications create stego-objects with new metadata instead of using the original meta-information, thus greatly easing the detection of stego-objects by these characteristic new headers. Both MP3Stego and Outguess are vulnerable to this kind of attack (Petitcolas, 1998; Provos, 2001).

An architecture for implementing steganalysis techniques was addressed in Liu et al. (2009). The authors propose a system to detect steganographic content transmitted through network protocols in real time. They use statistical and signal processing techniques to extract features used as input for steganalysis algorithms. Their approach focuses on video covert channels, as the authors acknowledge the limitations on the scalability of their system when targeting multiple steganographic algorithms. Another related proposal is Potdar et al. (2005). In it, the authors propose an agent-based architecture to detect and extract hidden information from web sites.

Another way to detect the usage of steganography is by finding the presence of steganographic programs used to hide or embed information. Zax and Adelstein (2009) identified the main forensic artifacts of steganographic applications. These, along with forensic software such as Encase [1] or The Coroner's Toolkit [2], may allow the detection of steganography applications, thus providing a way to alert and even take countermeasures such as forbidding the execution of those applications. This approach is useful if there exists the possibility of monitoring the suspicious computer (i.e. a malicious employee inside an organization).

3.2. Steganography elimination

Steganography elimination techniques try to eliminate possible covert channels without disrupting legitimate communication. The active warden of Simmons' scenario uses this kind of technique to hamper covert communication between Alice and Bob. The main issue in this kind of technique is how to eliminate the hidden information without changing the perception of the transmitted object, as the purpose is to break the covert communication, but not to render the legitimate channel unusable. The most common active warden technique is overwriting possible hidden information carriers with random noise.

The process of eliminating the covert channel is also called steganographic sanitization. Whitehead (2005) sanitized image data by overwriting redundancy sources of images (LSB, DCT and DWT). Their approach showed no visual impact on the sanitized images. The requirements of the sanitization process (an average of 175 ms per image) made it suitable for use on networks.
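The following is an added example, not code from the paper or from StegoProxy: it applies the LSB embedding of Section 2.1 to a constructed grey-level pixel array and then performs the active-warden sanitization just described, overwriting the LSB plane with random noise. The cover generator, the payload and all function names are this example's own assumptions.

```python
import secrets
from typing import Callable, Dict, List

# Constructed cover: a flat list of 8-bit grey-level pixels produced by a
# small LCG so the example runs offline (a real cover would be a decoded image).
def make_cover(n_pixels: int = 256, seed: int = 7) -> List[int]:
    pixels, v = [], seed
    for _ in range(n_pixels):
        v = (v * 1103515245 + 12345) & 0x7FFFFFFF
        pixels.append(v & 0xFF)
    return pixels

def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1

def lsb_embed(cover: List[int], payload: bytes) -> List[int]:
    """Textbook LSB embedding: one payload bit replaces the LSB of each pixel."""
    if len(payload) * 8 > len(cover):
        raise ValueError("payload does not fit in cover")
    stego = list(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego

def lsb_extract(stego: List[int], n_bytes: int) -> bytes:
    """Read n_bytes back from the LSB plane (what the intended recipient does)."""
    out = bytearray()
    for b in range(n_bytes):
        val = 0
        for i in range(8):
            val = (val << 1) | (stego[b * 8 + i] & 1)
        out.append(val)
    return bytes(out)

def sanitize_lsb(pixels: List[int],
                 rng: Callable[[int], int] = secrets.randbits) -> List[int]:
    """Active-warden sanitization: overwrite every LSB with a fresh random bit.
    No pixel moves by more than one grey level, so the cover looks unchanged,
    while whatever the LSB plane carried is replaced by noise."""
    return [(p & 0xFE) | rng(1) for p in pixels]

def max_pixel_change(a: List[int], b: List[int]) -> int:
    """Largest per-pixel difference between two equally sized pixel arrays."""
    return max(abs(x - y) for x, y in zip(a, b))

def demo(rng: Callable[[int], int] = secrets.randbits) -> Dict[str, object]:
    """Embed a constructed secret, sanitize, and report what survives."""
    cover = make_cover()
    secret = b"escape at dawn"           # constructed payload, 112 bits
    stego = lsb_embed(cover, secret)
    clean = sanitize_lsb(stego, rng)
    return {
        "before": lsb_extract(stego, len(secret)) == secret,   # True
        "after": lsb_extract(clean, len(secret)) == secret,    # False
        "max_change": max_pixel_change(stego, clean),          # 1
    }

if __name__ == "__main__":
    print(demo())
```

The same overwrite generalizes to any redundancy source (DCT or DWT coefficients) once the carrier's "least significant" positions are identified; only the LSB case is shown here.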

Fisk et al. (2003) introduced the concept of Minimal Requisite Fidelity (MRF). MRF measures the degree of fidelity that is both acceptable for the end user and for the communication (i.e. routers, network cards, system kernels, etc.). On structured carriers, MRF is a measure that quantifies the amount of information that can be modified without destroying the semantics of the modified object, while on images and videos (unstructured) it can be calculated through human perception. In their work, Fisk et al. identified features of TCP/IP packets that may lead to covert communications such as window size, packet order, source ports, padding bits, etc. They described a sanitization process to delete the hidden information that was inside the boundaries of the MRF for TCP, UDP and ICMP communications.

Additionally, Schear et al. (2006) introduced a framework to avoid information leakage through public web servers. Their system uses a warden that must allow a document to be published on a public web server. The warden (which may be a human or a machine) is in charge of checking whether the document contains sensitive information (as defined by the organization's security policy). Any document not previously vetted is filtered by a gateway that has direct communication with the warden. To avoid information leakage through a compromised web server, the authors propose to rewrite sent headers, as they could be used to exfiltrate information. This system does not overwrite possible steganographic carriers, but tries to detect hidden information before vetting a document.

In other contexts, commercial proxies such as SafeSquid [3] allow content and URL filtering based on security policies defined by the organization. This kind of proxy is focused on limiting the resources employees access (i.e. social networks, personal sites, etc.) from inside the organization, as well as protecting them from accidentally downloading viruses, etc. from malicious web sites. Nevertheless, to the best of the authors' knowledge there is no implementation of such proxies that eliminates steganographic content from HTTP connections.

Although previous approaches have studied methods and techniques to limit the capacity of covert channels, none of them have proposed an actual solution that may avoid their usage in real scenarios (such as communicating covertly through HTTP). The previously presented approaches have allowed improvements in the active warden scenarios, but they are not able to protect against covert channels through HTTP communications, as they only take into account some of the possible features where information might be hidden. We propose a model that allows reducing the capacity of covert channels created through an application network protocol (specifically HTTP). Our model could be easily adapted to other application network protocols. This could serve to ensure that the HTTP protocol is not being used to covertly transmit non-negligible amounts of information, as well as to make certain that some services, which may be used to transmit and store hidden information, are used according to the terms of use accepted by the user.

4. Covert channels over HTTP

The Hyper Text Transfer Protocol (HTTP) is defined in RFC 2616. HTTP is a widely used application protocol that supports transmission of any object that can be defined through a MIME type. It is a stateless protocol that works over TCP connections. It works on a request–response basis. Each time a client requests a resource, the HTTP server replies with a response for that resource. Version 1.1 of the protocol allows maintaining the TCP connection between different request–response pairs.

HTTP requests and responses are very similar in their structure. A message is composed of a message start line, a set of headers and a message body. The message body is separated from the headers by an empty line ended with \r\n. The message start line depends on whether the message is a request or a response. In requests, the start line is named the request line and is composed of the method to use, the universal identifier (URL) of the requested resource and the HTTP version (now 1.1). In responses, the start line is named the response line and is composed of a status code followed by a description of that code and the HTTP version used. HTTP headers are header name–value pairs separated by ':'. The message body is used to transmit any data associated with the request or the response. HTTP uses MIME types to describe the message body contents.

[3] http://www.safesquid.com

HTTP can be used as a covert channel to allow the exchange of information between two users. Depending on the users and the intended applications, there are two main possibilities. First, a user establishes a covert communication between himself and a web server. In this case information can be hidden both in the transmitted content and in the structure of the HTTP messages. Second, a user establishes a covert communication between himself and another user. In this case, both use the HTTP server as a hosting service (intermediary) for exchanging their messages. The HTTP server is usually unaware of the fact that it is being used for an unauthorized purpose. In this scenario, information is exchanged using the body of the HTTP messages, as the other party does not have access to the HTTP headers. This model was described in some depth by Jones (2001).

Burnett et al. (2010) propose the usage of image steganographic algorithms to create a covert channel through an image sharing web site (i.e. Flickr). The authors built software capable of hiding secret messages in images that are then uploaded to Flickr. Users who want to read a secret message just have to configure a client application to access the Flickr profile of the sender and use a pre-shared password. Images are uploaded through HTTP connections. Although the authors propose their system mainly to avoid censorship, it could also be used to exfiltrate sensitive information from an organization network.

Feamster et al. (2002) suggest the usage of an HTTP covert channel to avoid censorship on the web. In this proposal, a web server authorized by the censors, but outside their control, works as a conscious intermediary between the client and unauthorized web servers. To perform a request for censored content, the client sends an innocuous request to the accomplice web server. The unauthorized URL is hidden inside the URL of the innocuous request. The accomplice web server accesses the censored content and hides it (using image steganography) in an image that is sent back to the client as the response to the innocuous URL request.

Dyatlov and Castro (2003) describe different characteristics of HTTP messages that may be used to transfer information in a covert fashion. These include modifications of header order, structure and contents. As an example, Horenbeeck (2006) proposes the usage of Entity tag headers (whose value is determined by the web server implementation) to send information to clients. Entity tag headers are used to know whether a specific web site content needs to be downloaded again (through the usage of the If-None-Match header). Clients may also modify the entity tags they send to transmit covert information to the web server.

Besides the previously presented approaches, an HTTP packet can hide information in the following elements:

- HTTP Version: Both client and server may modify the version of the HTTP protocol they are using to communicate in order to transmit some bits of information. However, this kind of behavior would be easily detected by a careful observer, as it would not be usual to change the HTTP version of the protocol during consecutive requests from the same machines, so this approach is not recommended.
- Content: Section 2 describes some techniques to hide information in carriers such as images, audio, text or document files. As HTTP allows to transmit these in the message body, hiding information in such carriers would allow to establish a covert channel through HTTP. This approach is used in Burnett et al. (2010) with images uploaded to Flickr as carriers.

Fig. 1. Working scenario diagram.

J. Blasco et al. / Journal of Network and Computer Applications 35 (2012) 491–501 495

5. A model to hinder steganography over HTTP

The proposed model, StegoProxy, aims to forbid the usage of covert channels through HTTP. In this Section, the working scenario for the proposed model is presented (Section 5.1) along with the definitions of the concepts used to build the model (Section 5.2). Section 5.3 describes the functional components of the model. The HTTP message sanitization process is explained in Section 5.4. Finally, the security of the proposed model is analyzed in Section 5.5.

5.1. Working scenario

To illustrate the aims of our system, we consider the following scenario (Fig. 1). A disgruntled employee, Alice, who has access to the organization's sensitive information, wants to transmit it to an unauthorized recipient (Bob). Alice may directly send the sensitive documents to Bob by mail, but traces at the mail server would indicate that Alice contacted an outsider and sent him sensitive information. This would ease Alice's prosecution. Instead, Alice could use a steganographic program to conceal the sensitive information and send it as an innocuous looking message (i.e. an image) to Bob. If the malicious behavior is discovered, an audit may find Alice suspect, as she has sent strange messages to an unknown recipient. However, Alice could instead upload the hidden sensitive information (in an innocuous image) to a public web server (i.e. Twitpic, see footnote 4) (1). If Bob (the intended recipient of Alice's hidden messages) is the administrator of the web service used by Alice, he will just have to extract the hidden information from Alice's messages (3b). If Bob is another web service user, he will have to access the service as any other user and then extract the hidden information (3a). In this case, his identity will only be revealed to the web service where the hidden content is stored. Therefore, his identity remains unknown to Alice's organization, as many other users may have accessed the same information (2).

Based on the previous scenario, our system can be placed in a network infrastructure for two purposes: to destroy any possible hidden communication going out of a specific network, or to eliminate any kind of covert communication coming into a network. In the former, a malicious insider might be using the network to transfer sensitive information outside an organization. We need to assume that the insider does not have enough privileges to change packet routing, which is a reasonable assumption in most cases. In the latter, a computer resource such as a public web server may be used to transfer that sensitive information. As these two networks will probably be controlled by different organizations, they both must protect against these kinds of attacks separately. The proposed framework takes this issue into account as it allows to filter both incoming and outgoing HTTP connections. Besides the previous scenario description, we also assume the following constraints:

- Systems used inside a controlled network cannot be fully accessed or controlled. This is reasonable because of legal restrictions on employees' privacy. Thus, it is only possible to control network communications.
- Usage of unknown or not explicitly allowed network protocols inside the controlled network can be forbidden. Otherwise, these protocols could be used to establish additional covert channels.
- Protocols such as SMTP, IMAP, etc. are not taken into account. Nevertheless, our framework could be easily adapted to work under those protocols.

4 This service is used by Twitter users to share images and other multimedia content such as videos. http://www.twitpic.com.

5.2. Definitions

The proposed model eliminates steganographic content by sanitizing possible carriers of steganographic information. For such a purpose, our framework is based on the concepts of Steganographic Unit and Minimum Request Fidelity.

Definition 1. A Steganographic Unit is defined as the minimum amount of semantic information that allows the transmission of hidden information, and thus the creation of a covert channel.

Any part of an HTTP message that can be changed without modifying the semantics of the message can be considered a steganographic unit. Steganographic units shall not be confused with the information carriers. As an example, two unstructured carriers in the form of text can refer to different steganographic units: the user agent definition and the text of a web page. Additionally, a steganographic unit may hold more than one carrier. In fact, an image may have information embedded into its DCT coefficients (or another image characteristic) or in its textual metadata.

Definition 2. The Minimum Request Fidelity (MRF) describes the maximum changes an object can support until it cannot be considered semantically the same object (Fisk et al., 2003).

In our case, we apply MRF to steganographic units. As HTTP allows both structured and unstructured carriers, our system will have to take into account the MRF for both kinds of carriers.

5.2.1. Model overview

Once implemented in an organization, the proposed model hinders the usage of steganography through HTTP. Each time a message arrives at StegoProxy, it is fragmented into several steganographic units. Each steganographic unit passes through a sanitization process that may include the execution of several sanitizers (one per possible steganographic carrier). Once all steganographic units have been sanitized, the HTTP message is built back and sent to the destination web server.

Depending on the organization's aim, StegoProxy can be deployed in different network placements. If the main goal of StegoProxy is to stop possible information leakages through HTTP connections, it should be placed as a transparent proxy at the Internet gateway (Fig. 2). To reduce the added overhead, several StegoProxies can be deployed to work in parallel. In this way, all HTTP messages from inside the organization will have to pass through StegoProxy. On the other hand, if the aim is to ensure that a web service is not being used as an anonymous mailbox for covert communications, the proxy may be placed after the web server captures the request, but before it is processed and passed to the web application (as in Fig. 3).

5.3. Components

As shown in Fig. 4, our system comprises four main components: the HTTP inspector, the steganographic detectors, the steganographic unit sanitizers and the HTTP assembler.

5.3.1. HTTP inspector

This component analyzes incoming packets and divides the HTTP messages into steganographic units $SU_i$ that will be later processed. Steganographic units are created using a database that can be expanded when new carriers are discovered in HTTP communications. Steganographic units can transport hidden information using more than one carrier. As an example, a text may have embedded information in the number of spaces it has or in the usage of uppercase letters.

Fig. 2. StegoProxy placement inside an organization to avoid outwards HTTP covert channels.

Fig. 3. StegoProxy placement to avoid the abuse of a webserver as a steganographic mailbox.

5.3.2. Steganographic detectors

A steganographic unit may use several carriers to covertly transmit information. A steganographic detector implements a steganalysis distinguisher for a specific carrier (it may use blind, targeted or both kinds of steganalysis). Each carrier of a steganographic unit is passed through its detector to detect possible steganographic content. If hidden information is detected, the carrier is sanitized.

However, current steganalysis algorithms produce non-negligible false positives and negatives (Li et al., 2009; Liu et al., 2011). Thus, if a steganalysis algorithm is not accurate enough, it would be possible to transmit practical amounts of hidden information. As the goal of the proposed model is to reduce the steganographic capacity of HTTP, the usage of steganographic detectors is optional. If a detector is not used for a specific carrier, all steganographic units including such a carrier have to pass through a sanitization process.

5.3.3. Stego unit sanitizers

A sanitizer $S_j$ removes the steganographic information that may be transmitted through a carrier $j$. In order to remove all possible steganographic communications through the carrier $j$, a sanitizer may implement more than one sanitization process. We define a targeted sanitization process (as in targeted steganalysis) as the process that removes, from a steganographic unit $SU_i$, information hidden through a specific steganographic algorithm. A blind sanitization process is defined as the process that removes information hidden in a specific carrier $j$ independently of the algorithm used.

Fig. 4. StegoProxy components and process diagram.

If a sanitizer includes more than one sanitization process, they must be executed sequentially over each steganographic unit (Fig. 4). Both kinds of sanitization processes must take into account the MRF when performing their modifications to the steganographic unit. Additionally, as a steganographic unit can hide information in more than one information carrier, some steganographic units may have to pass through several sanitizers. In such a case, sanitizers are also applied sequentially. It must be taken into account that sanitizers may not be deterministic (i.e. adding random noise to steganographic units).

5.3.4. HTTP assembler

This component assembles all sanitized steganographic units and builds back the HTTP message. The sanitized HTTP message is then delivered to its recipient.

5.4. HTTP message sanitization process

The proposed model allows to eliminate steganography from incoming and outgoing HTTP connections. The sanitization process is independent from the communication direction, as it works over HTTP messages. The following lines describe the process performed by StegoProxy (Fig. 4):

- The HTTP message $M$ is disassembled by the Inspector $I$ into steganographic units: $I(M) = \{SU_1, SU_2, \ldots, SU_i\}$. Each steganographic unit may hold different carriers $SU_i = \{C_1, C_2, \ldots, C_j\}$.
- For each carrier in each steganographic unit, check for hidden information with a steganographic detector. If $SD(C_j) = true$ or $SD(C_j)$ does not exist, apply the sanitizer for carrier $C_j$.
  - Apply a sanitizer $S_j$ to a steganographic unit to remove its steganographic payload: $S_j(SU_i) = S_j(\{C_1, C_2, \ldots, C_j\}) = \{C_1, C_2, \ldots, S_j(C_j)\} = \{C_1, C_2, \ldots, C_{j-1}\}$. A sanitizer is composed of a set of sanitization processes (targeted or blind) which are applied sequentially: $S_j = \{S_{j1}, S_{j2}, \ldots, S_{jk}\}$.
  - Once a steganographic unit $SU_i$ has passed through all its corresponding sanitizers $S_1, S_2, \ldots, S_j$ according to its carriers, it results in a sanitized steganographic unit $SSU_i$.
- Once all steganographic units have been sanitized, the Assembler $A$ assembles the HTTP message again using all sanitized steganographic units: $A(SSU_1, SSU_2, \ldots, SSU_i) = M_s$.

Algorithm 1 describes the message sanitization process. This version of the algorithm includes the usage of steganographic detectors. Nevertheless, depending on the accuracy of a given steganographic detector $SD_j$, it may be necessary to pass all steganographic units that include that carrier $C_j$ through the steganographic sanitizer $S_j$.

Algorithm 1. HTTP message sanitization algorithm.

Data: M, HTTP message received by StegoProxy; SUDB, Steganographic unit database; CDB, Carrier Database; S, Set of available sanitizers; I, HTTP message inspector; A, HTTP message assembler

begin
    # HTTP Message inspection
    Set SU = {SU_1, SU_2, ..., SU_i} ← I(M)
    Set SU' ← SU
    # Sanitization: For each steganographic unit
    for SU_i in SU' do
        # For each carrier inside the steganographic unit
        for C_j in SU_i do
            if SD_j exists for C_j then
                if SD_j(C_j) = true then
                    Set SU_i ← S_j(SU_i)
            else
                Set SU_i ← S_j(SU_i)
    # Message Assembly
    Set M' ← A(SU')
end
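The control flow of Algorithm 1 (inspect, detect or sanitize per carrier, sanitize with an ordered list of processes, assemble), as an added Python example. This is not the StegoProxy code: the message layout (a headers dict plus a text body), the carrier names "ua-string" and "spacing", the toy trailing-blank and whitespace-collapsing processes, the spacing detector and the fixed User-Agent value are all assumptions made for illustration. It shows the two branches of the algorithm: the User-Agent carrier has no detector and is always sanitized, while the body text is sanitized only when its detector fires.

```python
"""Added example of the Algorithm 1 pipeline (not StegoProxy's own code)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

Process = Callable[[str], str]      # one sanitization process (targeted or blind)
Detector = Callable[[str], bool]    # steganalysis distinguisher SD_j for one carrier


@dataclass
class StegoUnit:
    """SU_i: one semantic piece of the message plus the carriers it may use."""
    name: str
    value: str
    carriers: List[str]


# Constructed sample message; the odd User-Agent tokens and the doubled/trailing
# blanks stand in for whatever a covert sender might have placed there.
SAMPLE_MESSAGE = {
    "headers": {
        "Host": "example.invalid",
        "User-Agent": "Mozilla/5.0 (X11; Linux) 0x1f 0x3a",
    },
    "body": "Quarterly  report attached.\t\nSee   figures below.   \n",
}

FIXED_UA = "Mozilla/5.0 (StegoProxy-normalized)"   # assumed policy value

# S_j for each carrier: an ordered list of processes, applied sequentially.
SANITIZERS: Dict[str, List[Process]] = {
    "ua-string": [lambda _value: FIXED_UA],                     # blind: replace outright
    "spacing": [lambda v: re.sub(r"[ \t]+(?=\n)", "", v),        # targeted: trailing blanks
                lambda v: re.sub(r"[ \t]{2,}", " ", v)],         # blind: collapse all runs
}

# SD_j is optional; here only the "spacing" carrier has a detector.
DETECTORS: Dict[str, Detector] = {
    "spacing": lambda v: bool(re.search(r"[ \t]{2,}|[ \t]\n", v)),
}


def inspect(message: dict) -> List[StegoUnit]:
    """Inspector I: I(M) = {SU_1, ..., SU_i}."""
    return [
        StegoUnit("user-agent", message["headers"]["User-Agent"], ["ua-string"]),
        StegoUnit("body-text", message["body"], ["spacing"]),
    ]


def sanitize_unit(su: StegoUnit) -> StegoUnit:
    """Apply S_j for every carrier C_j of SU_i, exactly as the inner loops of Algorithm 1."""
    value = su.value
    for carrier in su.carriers:
        detector = DETECTORS.get(carrier)
        # Sanitize when SD_j flags the carrier, or when no SD_j exists at all.
        if detector is None or detector(value):
            for process in SANITIZERS[carrier]:   # S_j = {S_j1, ..., S_jk}, in order
                value = process(value)
    return StegoUnit(su.name, value, su.carriers)


def assemble(units: List[StegoUnit], original: dict) -> dict:
    """Assembler A: A(SSU_1, ..., SSU_i) = M_s, keeping untouched headers as they were."""
    by_name = {u.name: u.value for u in units}
    headers = dict(original["headers"])
    headers["User-Agent"] = by_name["user-agent"]
    return {"headers": headers, "body": by_name["body-text"]}


def stegoproxy(message: dict) -> dict:
    """Full pipeline: inspect, sanitize each SU, assemble."""
    return assemble([sanitize_unit(su) for su in inspect(message)], message)


if __name__ == "__main__":
    print(stegoproxy(SAMPLE_MESSAGE))
```

The sanitized body keeps its words and line structure (the MRF for free text) while every whitespace run, and therefore any bit encoded in it, is gone; a body whose detector does not fire passes through unchanged, which is precisely the false-negative exposure the text warns about when detectors are used instead of unconditional sanitization.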

5.5. Security analysis

The proposed framework allows to sanitize both incoming and outgoing HTTP connections. Under the presented scenario, an attack on our proxy can be considered successful if any user is able to establish a usable covert communication channel through the HTTP protocol. We have identified three main attacks that may lead to this situation: denial of service attacks, usage of non-identified or removable information carriers, and circumventing StegoProxy.

Fig. 5. HTTP message sanitization process with implemented sanitizers.

A denial of service (DoS) attack tries to interrupt the authorized access of legitimate users to a resource or server. A DoS could overload StegoProxy in such a way that it is not able to sanitize connections in real time, drastically slowing the navigation speed. To avoid being unable to use a fundamental network protocol, StegoProxy would have to be disabled, leaving the HTTP traffic unchanged. This kind of attack, when performed from outside the organization, could be detected using security solutions such as Intrusion Detection Systems (IDS). An attack of such kind from inside the organization would be infeasible, as it would leave traces on network systems that could easily lead to the inside attacker.

Another way to stop StegoProxy from hampering the creation of covert channels through HTTP would be to use HTTP fields whose modification is beyond the MRF for HTTP. Feamster et al. (2002) propose a system to evade censorship on the web. They use the Uniform Resource Locator (URL) of each request sent to an accomplice web server to hide the real URL the user wants to connect to. The content of the real URL is hidden in an image that is transmitted to the censored client through the HTTP response. The proposed framework is able to eliminate hidden content from the image included in the response, but cannot eliminate the hidden URL transmitted by the client. Using this scheme the authors required an average of four HTTP requests to hide a URL. Therefore, the transmission of sensitive information would require a huge number of HTTP requests to the same server. In our scenario description (Section 5.1) we specify that the attacker does not have control over the network configuration. Nevertheless, HTTP messages could be encapsulated through other protocols such as DNS (Horenbeeck, 2006). Using other protocols for such a purpose is equivalent to using them as covert channels. Applying the proposed framework to those protocols or restricting their usage through firewall rules would enforce that all HTTP messages pass through StegoProxy.

6. Evaluation

In order to evaluate the validity of our proposal, we have implemented StegoProxy as an HTTP proxy. This implementation, in Java, is a proof-of-concept tool, not focused on providing optimum performance, although StegoProxy is able to handle several HTTP requests at the same time, as a standard HTTP proxy does (see footnote 5).

5 StegoProxy is available at http://stegoproxy.sourceforge.net/.

We have evaluated the efficacy and efficiency of the StegoProxy implementation using sanitizers for several kinds of images and HTTP headers. The current implementation of StegoProxy does not use steganographic detectors. In terms of efficacy, we evaluate whether StegoProxy is able to remove steganographic content from images sent through HTTP to web services. In terms of efficiency, we have measured the delay that the HTTP sanitization process introduces in the HTTP message exchange.

6.1. Implemented sanitizers

The current StegoProxy implementation is focused on eliminating steganographic content in images (which are the most popular steganographic carriers) and headers. Specifically, we focus on eliminating least significant bit (LSB) steganography in BMP, JPG and GIF images (Petitcolas et al., 1999) together with steganography based on GIF shuffling (Kwan, 2003). Additionally, we have included a sanitization process for different headers such as Server, User-Agent, etc. Obviously, our implementation can benefit from the design of more sanitizers, something we plan to continue doing to improve the tool.

LSB BMP: Least significant bit techniques modify the least significant bits of a certain part of an image to embed information. Embedded information (which is usually encrypted) introduces statistical changes in the least significant bits that make it possible to detect it (Fridrich et al., 2001). However, several approaches such as randomization of the embedding location and reducing the used image capacity can be used to make the detection of steganographic content using LSB in BMP images more difficult (Mielikainen, 2006).

Our LSB BMP sanitizer randomly rewrites the two least significant bits of the three components of randomly selected pixels. One quarter of the image pixels are randomly rewritten. Under these constraints, the probability of not modifying an image pixel that was used to embed information would be $p_{not\,modified} = p_{embedding} \cdot (1 - p_{sanitizing})$, where $p_{embedding}$ is the probability of embedding information into one pixel of the image and $p_{sanitizing}$ is the probability of overwriting the two least significant bits of a pixel (in this case $p_{sanitizing} = 1/4$).

The implemented sanitizer overwrites a quarter of the total number of pixels, so $p_{not\,modified} = p_{embedding} \cdot 0.75$. Therefore, in this scenario the probability of an image not having any pixel with hidden information modified is

$$p^{pixels}_{not\,modified} = (p_{embedding} \cdot 0.75)^{pixels}$$

where $pixels$ is the number of pixels in the image.

LSB JPG: This image format uses a lossy compression algorithm to reduce image size in bits. To compress an image, a discrete cosine transform (DCT) is applied to 8×8 pixel blocks. Then, the obtained amplitudes of the frequency components are quantized. Low frequency components are stored with higher resolution than high frequency components. Least significant bit steganography in the JPG format uses the same philosophy as LSB on BMP images, but instead changes the least significant bits of the high frequency components of the DCT transforms to embed information. In our sanitizer, we overwrite the two least significant bits of the bitmap generated from the JPG image, as in the LSB BMP sanitizer, and compress the generated image again. This modifies the DCT coefficients, eliminating the possible hidden information. Modifications to the least significant bits of JPG images have more impact than modifications performed on the same bits of BMP images. This is perfectly natural, due to the smaller degree of redundancy caused by the higher compression.
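The LSB BMP sanitizer and the $p_{not\,modified}$ formula above, as an added Python example (not StegoProxy's Java implementation). It works on a constructed in-memory list of RGB pixels instead of a BMP file; the gradient test image, the naive sequential LSB embedding used only so that there is a payload to destroy, and the extraction routine are assumptions for the demo. The sanitizer itself does what the text describes: a random quarter of the pixels get the two least significant bits of all three components overwritten with random bits, so the payload is destroyed without any change above bit 1 of any component.

```python
"""Added example: blind LSB sanitizer for 24-bit pixel data (not the project's code)."""
import random
from typing import List, Sequence, Tuple

Pixel = Tuple[int, int, int]   # 8-bit R, G, B


def make_test_image(width: int = 16, height: int = 16) -> List[Pixel]:
    """Constructed gradient image standing in for a decoded 24-bit BMP."""
    return [((x * 16) & 0xFF, (y * 16) & 0xFF, ((x + y) * 8) & 0xFF)
            for y in range(height) for x in range(width)]


def embed_lsb(pixels: Sequence[Pixel], bits: Sequence[int]) -> List[Pixel]:
    """Plain sequential LSB replacement, one bit per colour component (demo payload only)."""
    out = list(pixels)
    for i, bit in enumerate(bits):
        p, c = divmod(i, 3)               # pixel index, component index
        comps = list(out[p])
        comps[c] = (comps[c] & ~1) | bit
        out[p] = (comps[0], comps[1], comps[2])
    return out


def extract_lsb(pixels: Sequence[Pixel], nbits: int) -> List[int]:
    """Read back the lowest bit of each component in embedding order."""
    return [pixels[i // 3][i % 3] & 1 for i in range(nbits)]


def sanitize_lsb_bmp(pixels: Sequence[Pixel], fraction: float = 0.25,
                     seed: int = None) -> List[Pixel]:
    """Blind sanitizer: overwrite the two LSBs of all three components of a random
    `fraction` of the pixels with random bits (the paper's setting is 1/4)."""
    rng = random.Random(seed)
    out = list(pixels)
    k = int(len(out) * fraction)
    for idx in rng.sample(range(len(out)), k):
        r, g, b = out[idx]
        out[idx] = ((r & ~0b11) | rng.getrandbits(2),
                    (g & ~0b11) | rng.getrandbits(2),
                    (b & ~0b11) | rng.getrandbits(2))
    return out


def p_image_untouched(p_embedding: float, n_pixels: int,
                      p_sanitizing: float = 0.25) -> float:
    """(p_embedding * (1 - p_sanitizing)) ** pixels, the paper's p^pixels_not_modified."""
    return (p_embedding * (1 - p_sanitizing)) ** n_pixels


def count_changed_pixels(a: Sequence[Pixel], b: Sequence[Pixel]) -> int:
    return sum(1 for x, y in zip(a, b) if x != y)


def only_two_lsbs_changed(a: Sequence[Pixel], b: Sequence[Pixel]) -> bool:
    """True when every component differs from its counterpart only in bits 0 and 1."""
    return all((x[i] >> 2) == (y[i] >> 2) for x, y in zip(a, b) for i in range(3))


if __name__ == "__main__":
    img = make_test_image()
    payload = [1 if i % 3 == 0 else 0 for i in range(3 * len(img))]   # constructed bits
    stego = embed_lsb(img, payload)
    clean = sanitize_lsb_bmp(stego, seed=2024)
    print("pixels rewritten:", count_changed_pixels(stego, clean))
    print("payload survives:", extract_lsb(clean, len(payload)) == payload)
    print("P(no embedded pixel touched) for a full-capacity 256-pixel image:",
          p_image_untouched(1.0, len(img)))
```

Because every image pixel was used for the payload here, $p_{embedding} = 1$ and the chance that none of the 256 pixels is touched is $0.75^{256}$, far below anything an attacker could rely on; with real images of millions of pixels the exponent only makes this smaller, which is why the sanitizer can afford to leave three quarters of the pixels alone.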

GIF: The Graphics Interchange Format (GIF) enables 256-color images. In a GIF image, first a set of 256 colors is defined as an index. Each pixel is mapped to the color index using a byte. When using LSB GIF steganography, the least significant bits used to define a color in the index are changed, thus changing the appearance of all pixels pointing to that color. As GIF images usually include a very specific set of colors, the detection of steganographic images using this technique is difficult. We avoid the usage of GIF steganography by overwriting with random information the least significant bits of the defined colors.

Another steganographic technique used in GIF images is modifying the order of the 256-color index. Modifying the color index can be used to encode information and does not change the real appearance of the image, as pixels are modified to point to the new color index. To defeat this steganographic technique, we randomly shuffle the color index, eliminating any possible information encoded in the order of the colors.

Table 1
Test images features.

Image    Original size (MB)    Outguess size (KiB)    Steghide size (MB)    Pixel size
Image 1  2.2                   837.7                  2.2                   2592×1936
Image 2  2.0                   746.3                  2.0                   2592×1936
Image 3  2.5                   938.8.3                2.5                   1936×2592
Image 4  2.1                   820.1                  2.1                   2592×1936
Image 5  1.9                   708.5                  1.9                   2592×1936

Fig. 6. Example of image used during the experiments (Image 3) in its original form, with embedded information through Outguess and with embedded information through Steghide.
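Both GIF sanitizers just described (random noise in the palette's least significant bits, and a random shuffle of the color index with the pixel indices remapped so the picture looks the same), as an added Python example. It is not the project's code: it works on an in-memory palette plus index list rather than a GIF file, the 16-color palette and 4×4 image are constructed, and the choice to randomize one bit per color component is an assumption (the text does not state how many bits the implementation overwrites).

```python
"""Added example: GIF palette sanitizers on an in-memory palette (not the project's code)."""
import random
from typing import List, Sequence, Tuple

Color = Tuple[int, int, int]

# Constructed 16-colour palette and a 4x4 indexed image.
SAMPLE_PALETTE: List[Color] = [(i * 16, 255 - i * 16, (i * 37) & 0xFF) for i in range(16)]
SAMPLE_INDICES: List[int] = [(x * 3 + y * 5) % 16 for y in range(4) for x in range(4)]


def render(palette: Sequence[Color], indices: Sequence[int]) -> List[Color]:
    """Resolve every pixel index to its colour: what a viewer would display."""
    return [palette[i] for i in indices]


def sanitize_palette_lsb(palette: Sequence[Color], rng: random.Random) -> List[Color]:
    """LSB GIF sanitizer: randomize the lowest bit of each component of every colour
    (one bit per component is an assumption of this example)."""
    return [((r & ~1) | rng.getrandbits(1),
             (g & ~1) | rng.getrandbits(1),
             (b & ~1) | rng.getrandbits(1)) for r, g, b in palette]


def shuffle_palette(palette: Sequence[Color], indices: Sequence[int],
                    rng: random.Random) -> Tuple[List[Color], List[int]]:
    """Index-order sanitizer: permute the colour table and remap the pixel indices so the
    rendered image is unchanged while the original (possibly message-bearing) order is lost."""
    perm = list(range(len(palette)))      # perm[new_pos] = old_pos
    rng.shuffle(perm)
    new_palette = [palette[old] for old in perm]
    old_to_new = {old: new for new, old in enumerate(perm)}
    return new_palette, [old_to_new[i] for i in indices]


def sanitize_gif(palette: Sequence[Color], indices: Sequence[int],
                 seed: int = None) -> Tuple[List[Color], List[int]]:
    """Apply both GIF sanitizers sequentially, as sanitizers are chained in StegoProxy."""
    rng = random.Random(seed)
    noisy = sanitize_palette_lsb(palette, rng)
    return shuffle_palette(noisy, indices, rng)


def max_component_diff(a: Sequence[Color], b: Sequence[Color]) -> int:
    """Largest per-component change between two rendered images."""
    return max(abs(p[k] - q[k]) for p, q in zip(a, b) for k in range(3))


def colours_without_lsb(colors: Sequence[Color]) -> List[Color]:
    """Palette as a multiset with the lowest bit dropped, for order-independent comparison."""
    return sorted((r >> 1, g >> 1, b >> 1) for r, g, b in colors)


if __name__ == "__main__":
    pal, idx = sanitize_gif(SAMPLE_PALETTE, SAMPLE_INDICES, seed=3)
    before, after = render(SAMPLE_PALETTE, SAMPLE_INDICES), render(pal, idx)
    print("max visible change per component:", max_component_diff(before, after))
    print("palette order before:", SAMPLE_PALETTE[:4])
    print("palette order after: ", pal[:4])
```

The rendered pixels differ by at most one level per component, so the MRF of a GIF (its visible appearance) is respected, while neither the bits encoded in the palette entries nor the permutation of the color table survive the pass.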

HTTP headers: As mentioned in Section 4, HTTP headers can also be used to transmit information. In the presented implementation, two sanitizers have been implemented for HTTP headers. The content of the following headers in each HTTP message is rewritten:

- User-Agent: It is rewritten with a predefined user agent defined in StegoProxy.
- Date: If it does not fit the local time or a modification allowed by another time zone, it is randomly modified. Additionally, it is randomly modified by introducing a random 10 s error gap.
- Server: It is normalized against a set of possible servers (i.e. all servers referencing an Apache server are normalized to "Apache Server").
- Accept: It is rewritten with a predefined header defined in StegoProxy.
- Accept-Encoding: It is rewritten with a predefined header defined in StegoProxy.
- Accept-Language: It is rewritten with a predefined header defined in StegoProxy.

Additionally, the order in which headers are transmitted is randomly modified to avoid the transmission of hidden information through the order of HTTP headers.
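The header sanitizers listed above, as an added Python example (not StegoProxy's code). The predefined replacement values, the Server normalization table and the reading of the Date rule (keep the sent Date only if it is within 10 s of the proxy clock, otherwise re-stamp it with the proxy clock, then add a random error of up to ±10 s) are illustrative assumptions; the sample request head is constructed. Header order is shuffled at the end, since the text treats the order itself as a carrier.

```python
"""Added example: StegoProxy-style HTTP header sanitizer (not the project's own code)."""
import random
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

FIXED_HEADERS: Dict[str, str] = {        # assumed predefined values replacing the originals
    "user-agent": "Mozilla/5.0 (compatible; StegoProxy)",
    "accept": "text/html,application/xhtml+xml,*/*;q=0.8",
    "accept-encoding": "gzip, deflate",
    "accept-language": "en-US,en;q=0.5",
}
SERVER_FAMILIES = {"apache": "Apache Server", "nginx": "nginx", "iis": "Microsoft-IIS"}
DATE_TOLERANCE = timedelta(seconds=10)   # assumed: how far a sent Date may be from the proxy clock
DATE_JITTER_SECONDS = 10                 # the paper's random 10 s error gap

# Constructed sample request head; the odd q-values and tokens stand in for hidden bits.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: upload.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) rv:0x41\r\n"
    b"Accept: text/html;q=0.91,*/*;q=0.37\r\n"
    b"Accept-Encoding: gzip, deflate, br\r\n"
    b"Accept-Language: en-US,en;q=0.73\r\n"
    b"Date: Tue, 24 May 2011 09:15:00 GMT\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_NOW = datetime(2011, 5, 24, 9, 15, 4, tzinfo=timezone.utc)   # proxy clock for the demo


def parse_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a request/response head into its start line and (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    start, *lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return start, headers


def serialize_head(start: str, headers: List[Header]) -> bytes:
    lines = [start] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def sanitize_date(value: str, now: datetime, rng: random.Random) -> str:
    """Keep the sent Date only if it is close to the proxy clock; always add jitter."""
    try:
        sent = parsedate_to_datetime(value)
        if sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        sent = None
    base = sent if sent is not None and abs(sent - now) <= DATE_TOLERANCE else now
    jitter = timedelta(seconds=rng.uniform(-DATE_JITTER_SECONDS, DATE_JITTER_SECONDS))
    return format_datetime((base + jitter).astimezone(timezone.utc), usegmt=True)


def sanitize_headers(headers: List[Header], now: Optional[datetime] = None,
                     seed: Optional[int] = None) -> List[Header]:
    """Rewrite the carrier headers, normalize Server, re-stamp Date, then shuffle the order."""
    rng = random.Random(seed)
    now = now or datetime.now(timezone.utc)
    out: List[Header] = []
    for name, value in headers:
        key = name.lower()
        if key in FIXED_HEADERS:
            value = FIXED_HEADERS[key]
        elif key == "server":
            value = next((label for needle, label in SERVER_FAMILIES.items()
                          if needle in value.lower()), "Server")   # unknown products collapse
        elif key == "date":
            value = sanitize_date(value, now, rng)
        out.append((name, value))
    rng.shuffle(out)   # header order is a carrier too; randomize it
    return out


def sanitize_head(raw: bytes, now: Optional[datetime] = None,
                  seed: Optional[int] = None) -> bytes:
    start, headers = parse_head(raw)
    return serialize_head(start, sanitize_headers(headers, now, seed))


def seconds_between(date_a: str, date_b: str) -> float:
    """Absolute distance in seconds between two RFC 1123 Date header values."""
    return abs((parsedate_to_datetime(date_a) - parsedate_to_datetime(date_b)).total_seconds())


if __name__ == "__main__":
    print(sanitize_head(SAMPLE_REQUEST, now=SAMPLE_NOW, seed=1).decode("iso-8859-1"))
```

Headers the policy does not name (Host, Content-Length) pass through untouched, which is the right default for a proxy that must not break the request; the price, as the security analysis notes, is that any header outside the sanitized set remains a potential low-bandwidth carrier until a sanitizer is written for it.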

Figure 5 depicts the HTTP message sanitization process for the implemented StegoProxy.

6.2. Experimental setup

Our experimental setup covers the first mentioned scenario. That is, a malicious employee tries to steal information from their organization using a steganographic program to hide information into images and then transmit those images to a web service. In this scenario, the proxy will be placed at the organization gateway filtering all the outgoing traffic. The second scenario, in which a web server is protected against unfair use, is equivalent to the first one with the only difference that instead of sanitizing requests, StegoProxy processes web server responses.

To perform our tests we used five images. For each image, we embedded a random message using "Steghide" and "Outguess" (Table 1). Additionally, random information was embedded in the implemented HTTP headers' content and order. All generated images were uploaded to Twitpic with and without using StegoProxy. Figure 6 shows the original image used in our experiments along with the versions with hidden information through the aforementioned steganographic programs.

We measured the time it took to complete the POST request when using and not using StegoProxy. For the experiments performed with StegoProxy, we also calculated the time it took to disassemble the HTTP requests, to sanitize them and to assemble them again. Figure 7 shows graphically the aforementioned time gaps. Each image upload was repeated five times. In our experiments, StegoProxy runs on a Core 2 Duo machine at 3 GHz while requests are generated by other computers in the same network segment (with no significant traffic at the time when the experiments were performed).

6.3. Results

All images sent to Twitpic were later downloaded to check for hidden content. We were unable to extract the hidden content from images sent through StegoProxy. Information transmitted inside the HTTP headers was lost due to the header rewriting operation performed by the HTTP header sanitizer. Results show that StegoProxy is able to eliminate steganographic content from images transferred through the network without interrupting HTTP communications or introducing any human perceptible distortion in sanitized images. However, the sanitization process increased significantly the time required to upload the images to Twitpic.

Fig. 7. HTTP message process during the experiments and measured time gaps (sequence between Client, StegoProxy and Twitpic: Post request; disassembly time; sanitization time; assembly time; sanitized Post request; response generation time; Response; Post response time).

Fig. 8. Average times measured during StegoProxy evaluation.

Figure 8 shows the average time measured with the three kinds of images used during the experiments. Approximately, the image upload process takes up to three times longer. Although Outguess images are smaller in file size, the sanitization time is very similar to that of the other images, as the sanitization process does not depend on the file size but on the number of pixels.

Although this result may hinder the feasibility of our approach, the images used during the experiments were up to 2.5 MB. Using smaller images would reduce the amount of time required for sanitization. Additionally, an improved implementation or its usage on a special purpose machine would obviously improve the measured results by a large margin. It is also important to note that StegoProxy can be parallelized across multiple machines.

7. Conclusions and future work

In this work we address the usage of steganography over popular network protocols such as HTTP. We have proposed a framework to limit the usage of steganography and covert channels through HTTP. Using steganography over HTTP could allow malicious employees to steal sensitive information from their organizations. Steganography over HTTP could also be used to control botnets and transmit sensitive user information. Depending on the scenario, HTTP steganography can take advantage of certain web services such as photo sharing sites as remote storage, using the aforementioned services for unauthorized purposes. However, current security policies cannot block this kind of covert channels effectively, as the HTTP protocol is almost essential for network communications and Internet connectivity.

We have proposed a general framework that reduces the steganographic possibilities of the HTTP protocol. Our framework allows to implement different sanitizers that eliminate hidden content from any kind of information transmitted through HTTP. Although our framework drastically reduces the amount of information that can be sent covertly, it does not eliminate all covert channels. Low bandwidth covert channels are still available. Our approach allows to control both incoming and outgoing HTTP requests, being able to mitigate both the malicious insider and the computer misuse risks.

Our evaluation shows that the usage of StegoProxy introduces perceptible delays to users' communications. Nevertheless, our implementation is far from perfect. An improved (non-Java-based) implementation and a better hardware environment would significantly increase the overall performance of our implementation. On the other hand, our main aim was achieved: we were unable to recover any of the hidden information sent through StegoProxy.

Our future work will involve the extension of this approach to other communication protocols such as SMTP, P2P protocols, etc. Additionally, the implementation of new sanitizers would help to provide protection against more information carriers. We believe this work could be useful to protect organizations from attacks such as information theft, also providing unaware intermediaries (such as web servers) a means to protect against unauthorized usage of their services.

References

Ahsan K, Kundur D. Practical data hiding in TCP/IP. In: Proceedings of the workshop on multimedia security at ACM multimedia, vol. 6; 2002. http://ee.tamu.edu/~deepa/pdf/acm02.pdf [Accessed on April 2011].

Bell G, Lee YK. A method for automatic identification of signatures of steganography software. IEEE Transactions on Information Forensics and Security 2010;5(2):354–8.

Bender W, Gruhl D, Morimoto N, Lu A. Techniques for data hiding. IBM Systems Journal 1996;35(3):313–36.

Burnett S, Feamster N, Vempala S. Chipping away at censorship firewalls with user-generated content. In: Proceedings of the 19th USENIX conference on security (USENIX Security 2010). USENIX Association; 2010. p. 29–45.

Chakinala R, Kumarasubramanian A, Manokaran R, Noubir G, Rangan C, Sundaram R. Steganographic communication in ordered channels. In: Information hiding. Lecture notes in computer science, vol. 4437. Berlin/Heidelberg: Springer; 2007. p. 42–57.

Chandramouli R, Kharrazi M, Memon N. Image steganography and steganalysis: concepts and practice. In: Digital watermarking. Lecture notes in computer science, vol. 2939. Berlin/Heidelberg: Springer; 2004. p. 204–11.

Chapman M, Davida G. Hiding the hidden: a software system for concealing ciphertext as innocuous text. In: Information and communications security. Lecture notes in computer science, vol. 1334. Berlin/Heidelberg: Springer; 1997. p. 335–45.

Cox IJ, Miller M, Bloom J, Fridrich J, Kalker T. Digital watermarking and steganography. 2nd ed. Morgan Kaufmann; 2008.

Dyatlov A, Castro S. Exploitation of data streams authorized by a network access control system for arbitrary data transfers: tunneling and covert channels over the HTTP protocol. Technical Report; Gray-World; 2003. http://gray-world.net/projects/papers/covert_paper.txt [Last accessed on February 2011].

Feamster N, Balazinska M, Harfst G, Balakrishnan H, Karger D. Infranet: circumventing web censorship and surveillance. In: Proceedings of the 11th USENIX conference on security (USENIX Security 2002). USENIX Association; 2002. p. 247–62.

Fisk G, Fisk M, Papadopoulos C, Neil J. Eliminating steganography in internet traffic with active wardens. In: Information hiding. Lecture notes in computer science, vol. 2578. Berlin/Heidelberg: Springer; 2003. p. 18–35.

Fridrich J, Goljan M. Practical steganalysis of digital images: state of the art. In: Society of photo-optical instrumentation engineers (SPIE) conference series, vol. 4675; 2002. p. 1–13.

Fridrich J, Goljan M, Du R. Reliable detection of LSB steganography in grayscale and color images. In: Proceedings of the ACM workshop on multimedia and security; 2001. p. 27–30.

Geetha S, Sindhu S, Gobi S, Kannan A. Evolving GA classifier for audio steganalysis based on audio quality metrics. In: ICISIP 2006. Fourth international conference on intelligent sensing and information processing; 2006. p. 105–8.

Grothoff C, Grothoff K, Alkhutova L, Stutsman R, Atallah M. Translation-based steganography. In: Information hiding. Lecture notes in computer science, vol. 3727. Berlin/Heidelberg: Springer; 2005. p. 219–33.

Hernandez-Castro J, Tapiador J, Palomar E, Romero-Gonzalez A. Blind steganalysis of Mp3stego. Journal of Information Science and Engineering 2010;26(5):1787–99.

Horenbeeck MV. Deception on the network: thinking differently about covert channels. In: Proceedings of the 7th Australian information warfare and security conference; 2006. p. 174–84.

Johnson N, Jajodia S. Exploring steganography: seeing the unseen. IEEE Computer 1998;31(2):26–34.

Jones E. Legitimate sites as covert channels: an extension to the concept of reverse http tunnels. 2001. http://gray-world.net/papers/lsacc.txt [Last accessed on June 2011].

Kartaltepe EJ, Morales JA, Xu S, Sandhu R. Social network-based botnet command-and-control: emerging threats and countermeasures. In: Proceedings of the 8th international conference on applied cryptography and network security (ACNS 2010); 2010. p. 511–28.

Kwan M. GIFShuffle. 2003. http://www.darkside.com.au/gifshuffle/ [Last accessed on August 2011].

Lee IS, Tsai WH. A new approach to covert communication via PDF files. Signal Processing 2010;90(2):557–65.

Li B, Huang J, Shi Y. Steganalysis of YASS. IEEE Transactions on Information Forensics and Security 2009;4(3):369–82.

Liu Q, Sung A, Qiao M. Derivative-based audio steganalysis. ACM Transactions on Multimedia Computing, Communications, and Applications (TOMCCAP) 2011;7(3):18.

Liu Y, Corbett C, Chiang K, Laboratories SN, Archibald R, Ghosal D. SIDD: a framework for detecting sensitive data exfiltration by an insider attack. In: Forty-second Hawaii international conference on system sciences; 2009. p. 1–10.

McGreal C. FBI breaks up alleged Russian spy ring in deep cover; 2010.

Mielikainen J. LSB matching revisited. IEEE Signal Processing Letters 2006;13(5):285–7.

Park B, Park J, Lee S. Data concealment and detection in Microsoft Office 2007 files. Digital Investigation 2009;5(3–4):104–14.

Petitcolas FAP. MP3Stego; 1998. http://www.petitcolas.net/fabien/steganography [Last accessed on February 2011].

Petitcolas FAP, Anderson RJ, Kuhn MG. Information hiding: a survey. In: Proceedings of the IEEE, vol. 87. IEEE; 1999. p. 1062–78.

Provos N. Outguess; 2001. http://www.outguess.org/ [last accessed on March

2011].Potdar V, Khan M, Chang E, Ulieru M, Paul R. e-Forensics steganography system for

terrorist information retrieval. Advanced Engineering Informatics 2005;19(3):235–41.

Schear N, Kintana C, Zhang Q, Vahdat A. Glavlit: preventing exfiltration at wirespeed. In: Proceedings of the 5th workshop on hot topics in networks(HotNets); 2006.

Shirali-Shahreza M. Stealth Steganography in SMS. In: Proceedings of the 2006 IFIPinternational conference on wireless and optical communications networks;2006. p. 11–3.

Simmons G. The history of subliminal channels. IEEE Journal on Selected Areas inCommunications 1998;16(4):452–62.

Kachhia-Patel, Amit. United States of America vs Anna Chapman and MikhailSemenko; 2010.

Van Schyndel R, Tirkel AZ, Osborne C. A digital watermark. In: Proceedings of theIEEE international conference on image processing, vol. 2. , IEEE ComputerSociety Press; 1994. p. 86–90.

Wayner P. Mimic functions. Cryptologia 1992;16(3):193–214.Whitehead A. Towards eliminating steganographic communication. In: Proceed-

ings of the 3rd annual conference on privacy, security, and trust; 2005.Zander S, Armitage G, Branch P. A survey of covert channels and countermeasures

in computer network protocols. IEEE Communications Surveys & Tutorials2007;9:44–57.

Zax R, Adelstein F. Faust: Forensic artifacts of uninstalled steganography tools.Digital Investigation 2009;6(1–2):25–38.

Zhong S, Cheng X, Chen T. Data hiding in a kind of PDF texts for secretcommunication. International Journal of Network Security 2007;4(1):17–26.